wiki:org/operations/services/nextcloud

NextCloud evaluation for Tor Project

META TODO: add trac magic here listing all open issues in component 'Service - nextcloud'

User instructions are found over at the Instructions for using NextCloud for Tor Project page

Evaluation time period

April 1 to September 30 2019

Six months is long enough for finding out if this works for us, even when taking potential disturbances into account. The evaluation period can be shortened if it shows that we know everything earlier.

Who will be part of the evaluation group

NOTE: #29417 has a list of people

Must have

  • Seattle office folks
  • PMs

Maybe

  • Anybody interested?
    • Plus
      • might help to test scenarios/to catch issues not found with just having the groups in the "Must have" category
      • helps conveying the idea that this is a service for everyone at the Tor Project and not just a special group of employees
    • Minus
      • might make the evaluation process too complex and time consuming if a lot of folks are getting involved (e.g. we might not be able to help those who need it most as good as we could due to lack of resources in that case) UPDATE 2019-04-29: This concern seems less problematic than anticipated -- our users seem to figure things out by themselves pretty well. Even 2FA works for those who try it!
      • Migrating users and their data if we decide to move to a more permanent instance will be more time consuming and possibly more complicated the more users we have.
  • One person from each team
    • Identifying a) use cases in each area of what Tor is doing and b) potential cross-team communication issues

No thanks

  • Non Tor members
    • We provide services to Tor members

User functionality (ie applications)

We should minimize the number of applications, for minimizing not only the risk of security issues but also user support issues.

Must have

  • File Sharing -- sharing of folders and files, including device sync (a la dropbox)
  • OnlyOffice -- collaborative editing of documents; text documents, spreadsheets and presentations
  • Deck -- KanBan board (non-official app)
  • Calendar -- shared calendar using CalDav
  • Tasks -- shared task handling (non-official app) using CalDav
  • Contacts -- storing of contacts using CardDav

Maybe?

Not at this stage

  • Talk
    • We don't want to mess with a STUN and TURN server at this point

Infrastructure requirements

Replacing existing services

Sandstorm

  • [ ] calendar
  • [ ] KanBan
  • [ ] Pads

SVN

  • [ ] NC "File Sharing"

Google Docs

Who will help with the system

  • Training and education
  • User support
  • Service admin, ie nextcloud software updates, migration of data from existing platforms (SVN, Sandstorm, other)
  • System administration, ie providing a patched and networked operating system

Migration of data from existing services onto evaluation NextCloud

Copying data from SVN, Sandstorm, Google Docs and possibly other services. We'd have to "freeze", ie write protect, the data there, so that people don't update things in two places. This is not going to fly in the cases where _all_ the users of that data are not also on Nextcloud though, so some data will probably have to stay and _not_ be copied to Nextcloud.

SVN

There's at least three SVN repositories

  • public (#15948 but we dont care)
  • internal (#15949 gives some insight but we don't care)
  • corporate is the one we want to put in Nextcloud, possibly after some undefined sort and discard procedure

Sandstorm

What do we have in Sandstorm?

Google Docs

What do we have in Google Docs? Formally nothing but in practice probably quite a lot. Let this be self organized -- those who want to move a document off of Google into Nextcloud can do it after coordinating with their peers. We don't do that for them.

Migrating from evaluation onto a production environment

User credentials

User data

Open questions

  • can we use db.tpo? let's try to not be dependent on ldap queries in real time, but rather do what the rest of the infrastructure does -- extract a subset of the db and transfer it to the nextcloud system. this is what dip.tpo (gitlab) is aiming for too. https://github.com/nextcloud/user_sql might be useful.
  • what are the security promises of federated sharing? trusting DNS plus all the CA's? can we require DNSSEC? can we configure CA trust root? Nextcloud does not have any settings that require DNSSEC or specifically allow you to configure a CA trust root.
  • Should we run our own app store (see: https://docs.nextcloud.com/server/stable/admin_manual/apps_management.html)? One idea could be to only allow installing/updating apps from there and making sure apps are only in it after they have undergone some review.
  • How do updates work in a hosted environment, both for official apps and unofficial ones? Is there a way to make sure that updating app X does not prevent app X (or even app Y!) from functioning correctly after the update? If not, is there an easy roll-back button to fix this if needed?

Evaluation

TODO: Let's have users fill in a form of some sort, after some time.

  • what is good/ok/bad with X, for X in login, sharing, real-time editing, calendar, tasks, contacts, kanban, more

Resolved issues

Keeping them here for collective memory of decisions

RESOLVED regarding the riseup instance

  • what's our https endpoint? https://chouette.riseup.net, may also be accessed via https://nc.riseup.net
  • when can we start using it? april 1
  • can we have 2FA (TOTP) enabled? TOTP is enabled (using the "official" https://github.com/nextcloud/twofactor_totp#readme). Once can configure it by going to https://chouette.riseup.net/settings/user/security and look towards the bottom for TOTP (Authenticator app)
  • what does the "server encryption" look like? FDE
  • can we use "client encryption"? The "Server Side Encryption" option is enabled with the "Default Encryption Module". Users need to be very careful, because if they lose their password or recovery key, it may be impossible to recover their files!
  • what does the backup scheme look like? Incremental backups are done nightly of the database, and files to a different physical machine devoted to this purpose.
  • How do we treat apps security-wise? Do we want to review all apps before using them? Or maybe just the unofficial ones? And how about updates? Riseup reviews any 3rd-party apps before installation and updating

RESOLVED user management

  • can we configure NC to require 2FA for all users? We can configure it to require 2FA for your group, let micah know if you wish this enabled.
  • will our evaluation group be able to deal with 2FA? we wanted to aim high and fall back if necessary but user enrollment showed to be difficult with 2FA being enforced. let's nag users without 2FA enabled isntead.

RESOLVED Choosing a service provider

RESOLUTION: We've picked Riseup

We want to buy the service nextcloud, for the evaluation at least.

Current contenders include

  • riseup
    • plus
      • trusted people
      • have onlyoffice, and experience with users of it
      • user (and perhaps data too) migration _off_ of the evalutation instance might be less painful
    • minus
      • not entirely sure that we can have our own instance, but might have to share with riseup people. this would limit the alternatives of site wide settings, like requiring 2FA, possibly influence user handling, definitely affect choice of applications and the process for upgrading
      • riseup can setup a separate instance, on a dedicated server, if this is something that is desired. Perhaps after the evaluation period has ended, we can revisit this once it is determined if Nextcloud is something that people will want to use.
  • hetzner
    • plus
      • known reliable service provider (at least for co-location and VM's)
    • minus
      • there is no onlyoffice available, but can be provided elsewhere (on a separate server)

One possible option would be a combination of both -- NC from Hetzner and Onlyoffice from Riseup

Last modified 4 weeks ago Last modified on Apr 29, 2019, 10:00:46 AM